bpf

failing to attach eBPF `kretprobes` to `napi_poll()` with bcc tools

会有一股神秘感。 submitted on 2020-01-24 16:09:29
Question: The idea is to use argdist to measure the latency of napi_poll(), which returns the number of packets processed (called work). The ratio of the execution latency of napi_poll() to the number of packets processed would give me the average amount of time it took to process each packet, in the form of a histogram. I am using the following command: `argdist -H 'r:c:napi_poll():u64:$latency/$retval#avg time per packet (ns)'` which ends up giving me the error Failed to attach BPF to kprobe, and in dmesg I get a message like Could not insert

failing to attach eBPF `kretprobes` to `napi_poll()` with bcc tools

守給你的承諾、 submitted on 2020-01-24 16:08:05
Question: The idea is to use argdist to measure the latency of napi_poll(), which returns the number of packets processed (called work). The ratio of the execution latency of napi_poll() to the number of packets processed would give me the average amount of time it took to process each packet, in the form of a histogram. I am using the following command: `argdist -H 'r:c:napi_poll():u64:$latency/$retval#avg time per packet (ns)'` which ends up giving me the error Failed to attach BPF to kprobe, and in dmesg I get a message like Could not insert

Always get 0 session ID in BPF program

走远了吗. submitted on 2020-01-11 13:05:31
Question: I am trying to write a BPF program that examines the session ID of any process that calls the `tty_write` kernel function. I am trying to do this by retrieving a field from the current `task_struct` struct. My code is as follows: SEC("kprobe/tty_write") int kprobe__tty_write(struct pt_regs *ctx) { struct task_struct *task; struct task_struct *group_leader; struct pid_link pid_link; struct pid pid; int sessionid; // get current sessionid task = (struct task_struct *)bpf_get_current_task(); bpf

Always get 0 session ID in BPF program

守給你的承諾、 submitted on 2020-01-11 13:04:22
Question: I am trying to write a BPF program that examines the session ID of any process that calls the `tty_write` kernel function. I am trying to do this by retrieving a field from the current `task_struct` struct. My code is as follows: SEC("kprobe/tty_write") int kprobe__tty_write(struct pt_regs *ctx) { struct task_struct *task; struct task_struct *group_leader; struct pid_link pid_link; struct pid pid; int sessionid; // get current sessionid task = (struct task_struct *)bpf_get_current_task(); bpf

How can I retrieve the mount namespace of the current task in a BPF program using GCP's 4.15 kernel?

自作多情 submitted on 2020-01-05 05:46:10
Question: I am trying to retrieve the mount namespace of the current task in a BPF program as follows: task = (struct task_struct *)bpf_get_current_task(); bpf_probe_read(&nsproxy, sizeof(nsproxy), (void *)&task->nsproxy); bpf_probe_read(&mnt_ns, sizeof(mnt_ns), (void *)&nsproxy->mnt_ns); bpf_probe_read(&ns, sizeof(ns), (void *)&mnt_ns->ns); mnt_ns_inum = ns.inum; This works fine using an Ubuntu kernel (`uname -r`: 4.15.0-13-generic) and mnt_ns_inum gets a value of 4026531840 for tasks in the host's

who creates map in BPF

試著忘記壹切 submitted on 2020-01-01 01:09:09
Question: After reading `man bpf` and a few other sources of documentation, I was under the impression that a map can only be created by a user process. However, the following small program seems to magically create a bpf map: struct bpf_map_def SEC("maps") my_map = { .type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(u32), .value_size = sizeof(long), .max_entries = 10, }; SEC("sockops") int my_prog(struct bpf_sock_ops *skops) { u32 key = 1; long *value; ... value = bpf_map_lookup_elem(&my_map, &key); ... return 1; }

Why ebpf program inside samples/bpf doesn't work?

时光毁灭记忆、已成空白 submitted on 2019-12-24 18:31:20
Question: GOAL: write a new ebpf example within the samples/bpf directory in the kernel source tree of 4.18.0, compile and execute it. PROBLEM: after compiling it, when I run `sudo ./mine` it just terminates. mine_kern.c #include <uapi/linux/bpf.h> #include <uapi/linux/if_ether.h> #include <uapi/linux/ip.h> #include <linux/in.h> #include <linux/if_packet.h> #include "bpf_helpers.h" int icmp_filter(struct __sk_buff *skb){ int proto = load_byte(skb, ETH_HLEN + offsetof(struct iphdr, protocol)); if(proto ==

BPF: translation of program contexts

南楼画角 submitted on 2019-12-22 15:36:12
Question: I was looking at the different types of BPF program, and noticed that for different program types the context is being passed differently. Example: For program type BPF_PROG_TYPE_SOCK_OPS, an object of type struct bpf_sock_ops_kern is passed. However, the BPF program of this type takes a reference to struct bpf_sock_ops. Why is it done this way and where is the "translation" from bpf_sock_ops_kern to bpf_sock_ops? For program type BPF_PROG_TYPE_CGROUP_SKB, an object of type struct sk_buff

Why does this program which uses BPF and RAW SOCKET just hang?

六眼飞鱼酱① submitted on 2019-12-11 15:38:57
Question: GOAL: write a simple packet filter using BPF. The packet filter should allow you to choose the interface. PROBLEM: if I uncomment the third to last instruction in the code (where there is a call to `recvfrom`), the execution just hangs and I can't see any output (not even "buffer zeroed", which I should be able to see in the stdout). QUESTIONS: 1) how can I fix it? 2) why does the program hang during the execution and not show the first printf output? 3) how can I receive from ANY interface?

Argument list too long when loading an eBPF program via the bpf syscall

↘锁芯ラ submitted on 2019-12-11 06:37:44
Question: I am trying to load an eBPF program via the bpf syscall in Go but am seeing an error returned from the syscall. In order to restrict the problem I am using the following minimal eBPF program, which does nothing: struct task_group {}; The important parts of the Go program are as follows: b, err := ioutil.ReadFile("bpf/bbf_tty.o") if err != nil { fmt.Print(err) } progType := BPF_PROG_TYPE_KPROBE insns := unsafe.Pointer(&b) insnCnt := len(b) lba := struct { progType uint32 pad0 [4]byte insnCnt